{
	"id": "d902e326-673d-4278-91a4-4427426d9a2e",
	"created_at": "2026-04-06T00:06:28.692552Z",
	"updated_at": "2026-04-10T13:12:42.595083Z",
	"deleted_at": null,
	"sha1_hash": "89ce65ebe56c757bc64c2fc0e72c52cfb0f31f11",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56921,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:53:09 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RagnarLocker\n Tool: RagnarLocker\nNames\nRagnarLocker\nRagnar Locker\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(McAfee) The RagnarLocker ransomware first appeared in the wild at the end of\nDecember 2019 as part of a campaign against compromised networks targeted by its\noperators.\nThe ransomware code is small (only 48kb after the protection in its custom packer is\nremoved) and coded in a high programming language (C/C++). Like all ransomware,\nthe goal of this malware is to encrypt all files that it can and request a ransom for\ndecrypting them.\nRagnarLocker’s operators, as we have seen with other bad actors recently, threaten to\npublish the information they get from compromised machines if ransoms are not paid.\nAfter conducting reconnaissance, the ransomware operators enter the victim’s network\nand, in some pre-deployment stages, steal information before finally dropping the\nransomware that will encrypt all files in the victim’s machines.\nThe most notable RagnarLocker attack to date saw this malware deployed in a large\ncompany where the malware operators then requested a ransom of close to $11 million\nUSD in return for not leaking information stolen from the company. In this report we\nwill talk about the sample used in this attack.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9a967e7d-f989-4639-97f8-0ab46c34de1c\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 21 April 2025\nDownload this tool card in JSON format\nAll groups using tool RagnarLocker\nChanged Name Country Observed\nAPT groups\n FIN8 [Unknown] 2016-Dec 2022\n UNC2447 [Unknown] 2020\n Viking Spider [Unknown] 2019-Oct 2023\n3 groups listed (3 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9a967e7d-f989-4639-97f8-0ab46c34de1c\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9a967e7d-f989-4639-97f8-0ab46c34de1c\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9a967e7d-f989-4639-97f8-0ab46c34de1c"
	],
	"report_names": [
		"listgroups.cgi?u=9a967e7d-f989-4639-97f8-0ab46c34de1c"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89ce65ebe56c757bc64c2fc0e72c52cfb0f31f11.pdf",
		"text": "https://archive.orkl.eu/89ce65ebe56c757bc64c2fc0e72c52cfb0f31f11.txt",
		"img": "https://archive.orkl.eu/89ce65ebe56c757bc64c2fc0e72c52cfb0f31f11.jpg"
	}
}